Planning a Segregation of Duties System
Every business environment has unique segregation of duties requirements. You may find it helpful to create a high-level overview of your business environment and use a top-down approach when defining your segregation of duties requirements.
QAD delivers a set of default roles and segregation of duties categories that facilitate the implementation of segregation of duties. You can load the default segregation of duties data using SOD Import/Export (36.3.27.15). See
Importing and Exporting Segregation of Duties Data.
Before you begin to set up segregation of duties functions, consider creating:
• A detailed segregation of duties plan including details such as:
• A detailed list of your roles and their business responsibilities
• A detailed list of resources that are in conflict
• A detailed list of the associations required between application resources, segregation of duties category code, and role
• A detailed list of the segregation of duties policy exceptions required
• A maintenance schedule for planning when, and under what conditions, your segregation of duties policy will be reviewed and changes implemented
• An information retention plan detailing how long segregation of duties-related information, such as log files, are kept online for reporting purposes
• An archive plan detailing when segregation of duties log records are archived and where they are stored
• A detailed segregation of duties plan that describes how the business functions within your system will be segregated according to roles
Consider the following points:
• Legislation such as the Sarbanes-Oxley Act is designed toward achieving transparency of disclosure, integrity of business operations, and financial accountability for accurate reporting. As such, this may require your organization to comply with specific and stringent electronic information retention regulations. Make sure you are familiar with the impact such legislation has on your specific industry or region.
• Completing the segregation of duties setup correctly the first time will help to minimize the number of segregation of duties policy conflicts that will require corrective action. Also, closely monitor any changes that must be applied to your segregation of duties setup.
• To minimize the number of potential segregation of duties conflict violations in your system, try to define as few constraints—that is, the number of incompatible categories in your system—as possible.